This quickstart will guide you through installing the Chainloop CLI and performing your first attestation.

An attestation is a cryptographically signed record that verifies a software artifact or event complies with defined security policies. It is a cornerstone of DevSecOps. Typically generated in your CI/CD pipeline, an attestation captures metadata about how an artifact was built—such as references to source code, build recipes, intermediate artifacts, and environment details. This extra context enhances the trustworthiness and traceability of your automated processes.

For more details on key terminology and concepts, refer to our Glossary.

Run the following command to install the Chainloop CLI:

Refer to these instructions for more installation options.

Then log in by running:

In this Quickstart, we will use CLI for the initial setup and then later during the attestation process.

Once logged in, your next step would be to create a Chainloop organization. Think of organizations as workspaces or namespaces. To create an organization, run:

To perform an attestation process, you need to provide an API Token:

Chainloop API Tokens are commonly used (and required) in CI/CD scenarios. Tokens have narrower permissions, ensuring that they can only perform the operations they are granted. More information in API Tokens.
​

We are now ready to perform our first attestation. To learn more about its lifecycle, refer to this section.

We'll start with the initialization of an attestation. The attestation process requires the name of a workflow and a project to be associated with it. Chainloop workflows represent any CI or process you might want to attest.
​
Please check this document for a complete explanation of Workflows and Contracts. You might also want to check our contract reference.
​

We can check what kind of materials the contract expects by checking the output of attestation init command:

The contract expects a container image, an SBOM, and a vulnerability report. We can also see that the SBOM is not required, and neither is the vulnerability report, but the container image is.
​

Once attestation is initiated, we can start adding materials to it. In this case, we are adding an OCI container image. Many other material types are supported - check the updated list.

We just attested the latest version of the control-plane image as an example. Remember that you can provide any material you want to attest by pointing to a local filepath or URL, too.

In the next example we'll attest an Software Bill Of Materials (SBOM)

And the vulnerability report:

Finally, we sign and push the attestation to Chainloop for permanent preservation.

Transparently, Chainloop has signed the attestation and pushed it to the Chainloop Control Plane. You can learn more about the different signing and verification methods.
​

At this point, we've performed our first attestation, now we can just play with the Chainloop CLI or access to the web UI workflows section to learn more about the data.

Great! You've completed this guide. Now you are ready to dive deeper into our Getting Started guide.

Good luck, and have fun with Chainloop! 🚀